
[linux-security] Re: Named Overflow Concern



> I am running Linux 2.0.30 (Redhat 4.2) and have recently been hacked.
> 
> I have tightened up security but still feel vulnerable.

This is kind of obvious, but there have been several security problems
found and fixed in the kernel itself since 2.0.30, notably the SIGIO, IP
fragmentation, teardrop, and Pentium f0 0f problems. 

> In running the program mscan which was kindly left on my system I get this.
> 
> 	bullnet.co.uk: VULN: linux box vulnerable to named overflow.
> 	194.242.135.145: VULN: redhat linux box running imapd.
> 
> This is after upgrading to the versions as below.
> 	bind-4_9_7-0
> 	imap-4.1.final-0
> 
> Should I be concerned?

No.  The source for mscan is available on www.rootshell.com.  I took a
quick look at it.  It seems to just try connecting to an IMAP or DNS
server, and says the server is vulnerable if it succeeds.  According to
http://www.ciac.org/ciac/bulletins/i-044a.shtml, BIND 4.9.7 doesn't have
the buffer overflow for inverse queries.  The release notes for imap
4.3-BETA on ftp.cac.washington.edu:/mail/ don't mention any
security-related changes since version 4.1. 

This is somewhat obvious too, and doesn't seem to apply here, but a
distribution's foo-1.0-9 is foo 1.0 with the distributor's ninth revision
of its own changes, which may have some fixes that are otherwise available
only in foo 1.1 (or in another distribution with its own changes, of
course).  If you see an old notice that foo 1.0 has a bug, it may not
apply to your foo. 

[mod: Red Hat had a fixed bind-4.9.6 out for a while. To prevent this
confusion they now use the bind-4.9.7 based distribution. -- REW]

__
Trevor Johnson
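
The point above about a distributor's foo-1.0-9 versus upstream foo 1.1, as an added example that is not part of the original message: it checks an installed package string against both the upstream fixed version and the distributor's own fixed revisions. The advisory record is constructed; the upstream fix version (BIND 4.9.7) comes from the message, the backport release number is a hypothetical placeholder, and treating `_` as `.` in the version field is an assumption.

```python
import re

# Constructed advisory record. "upstream_fixed" is the version named in the
# message above; the backport release number (7) is a hypothetical placeholder.
ADVISORY = {
    "package": "bind",
    "upstream_fixed": "4.9.7",
    "backports": {"4.9.6": 7},  # distributor release >= 7 of 4.9.6 carries the fix
}

def parse_nvr(nvr):
    """Split name-version-release: 'bind-4_9_7-0' -> ('bind', '4.9.7', 0)."""
    name, version, release = nvr.rsplit("-", 2)
    # Assumption: underscores in the version field stand for dots.
    version = version.replace("_", ".")
    # Keep only the leading integer of the release field (simplification).
    return name, version, int(re.match(r"\d+", release).group())

def vkey(version):
    """Compare on numeric components only, so '4.1.final' sorts as (4, 1)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def is_fixed(nvr, advisory):
    """Return (fixed, reason) for an installed package against one advisory."""
    name, version, release = parse_nvr(nvr)
    if name != advisory["package"]:
        raise ValueError(f"advisory is for {advisory['package']}, not {name}")
    # Case 1: the upstream version itself already contains the fix.
    if vkey(version) >= vkey(advisory["upstream_fixed"]):
        return True, "upstream version includes the fix"
    # Case 2: older upstream version, but the distributor patched this revision.
    min_release = advisory["backports"].get(version)
    if min_release is not None and release >= min_release:
        return True, "distributor backport"
    return False, "neither upstream fix nor known backport"

if __name__ == "__main__":
    # Constructed inputs: the first is the package string quoted in the message.
    for pkg in ("bind-4_9_7-0", "bind-4.9.6-7", "bind-4.9.6-1"):
        print(pkg, "->", is_fixed(pkg, ADVISORY))
```

A scanner that only checks whether the port answers cannot make either distinction, which is why the installed package string has to be checked against the advisory directly.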


